Hi Jean-Francois,

jean-francois wrote on Sat, Jul 25, 2009 at 10:11:40PM +0200:

> Am I allowed to assume that there is no security flaw within such
> little piece of software?

No, small software can have security flaws, too.

But in this particular case, what exactly do you fear?

 - You do not need to run ddclient as a privileged user.
   So, compromising your system is very improbable.
   If you want to be paranoid, you can create a _ddclient
   user having write access to no files except /var/db/ddclient
   and use that one to run the ddclient daemon.
 - Information disclosure?
   The whole point of ddclient is publishing your IP address,
   so that's certainly not sensitive data.  Any other sensitive data
   on your system should not be readable by random users, anyway.
 - Denial of service?
   Well, if your DynDNS provider chooses to, he can delete your
   account any time he wants, and then you won't be reachable via
   DNS any more.  So, in case ddclient fails to update your address,
   that's no worse than the risk you are running when using dynamic
   DNS in the first place.

So, dynamic DNS is not a concept you typically use for security-critical
applications, and I don't think ddclient needs to cause major headaches
security-wise, as long as you don't run it as root or some other
privileged user, which you really shouldn't be doing.

Yours,
  Ingo
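
Added example, not part of the original message and not ddclient's own code: one way to audit the suggestion above that a dedicated _ddclient user should have write access to nothing except /var/db/ddclient. It assumes plain Unix mode bits (ACLs, file flags and read-only mounts are ignored), and the file names in the sample tree are constructed.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Classic Unix mode check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def unexpected_writable(root, uid, gids, allowed):
    """List entries below root that uid/gids can write, outside `allowed`."""
    root, allowed = os.path.realpath(root), os.path.realpath(allowed)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Neither report nor descend into the one permitted directory.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != allowed]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed tree: one state directory plus one stray world-writable file."""
    service_uid = os.getuid() + 1  # stand-in for _ddclient; owns nothing here
    with tempfile.TemporaryDirectory() as top:
        layout = {"var/db/ddclient/ddclient.cache": 0o666,
                  "etc/ddclient.conf": 0o640,
                  "tmp/shared.log": 0o666}
        for rel, mode in layout.items():
            path = os.path.join(top, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        for dirpath, _, _ in os.walk(top):
            os.chmod(dirpath, 0o755)
        state = os.path.join(top, "var/db/ddclient")
        os.chmod(state, 0o777)
        found = unexpected_writable(top, service_uid, set(), state)
        return [os.path.relpath(p, os.path.realpath(top)) for p in found]

if __name__ == "__main__":
    print(demo())
```

On a real system, pass the account's numeric uid and group ids (for example from pwd.getpwnam) and the file system root; an empty result means the account can write only inside the permitted directory.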
